
U.S. Organization in China Targeted by Attackers

| Category | Details |
|---|---|
| Threat Actors | Likely China-based attackers; potential links to the Daggerfly and Crimson Palace espionage groups. |
| Campaign Overview | Four-month-long intrusion targeting a U.S. organization with a presence in China, aimed at intelligence gathering. |
| Target Regions | U.S. organization, possibly with interests extending to Southeast Asia. |
| Methodology | Persistent network access, lateral movement, data exfiltration, and intelligence gathering. |
| Products Targeted | Microsoft Exchange servers (email harvesting), Active Directory. |
| Malware Reference | CoreFoundation.dll, textinputhost.dat, gtn.dll. |
| Tools Used | Impacket, FileZilla, PSCP (renamed as vmtools.exe), PsExec, PowerShell, reg.exe, WMI, GoogleToolbarNotifier, iTunesHelper, GoogleUpdate. |
| Vulnerabilities Exploited | Not specified, but the intrusion involved DLL sideloading, Kerberoasting, and potential use of public AD exploitation tools. |
| TTPs | DLL sideloading, Kerberoasting, credential dumping, living-off-the-land techniques, exfiltration via FTP/SFTP. |
| Attribution | Evidence points to Chinese APT groups; file usage and methodologies align with known Chinese tactics. |
| Recommendations | Implement endpoint behavioral protection, monitor anomalous command-line activity, restrict PowerShell usage, and enable auditing of AD and Exchange servers. |
| Source | Symantec |
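The summary lists Kerberoasting among the TTPs and recommends enabling auditing on Active Directory. The following is an added detection example (not code from Symantec or from the article) showing what that audit data can be used for: it scans Windows Security event 4769 (Kerberos service ticket request) records and flags any account that requests RC4-encrypted tickets (encryption type 0x17) for many distinct service accounts in a short window, the pattern a Kerberoasting run produces. The event records, account names and the window/threshold values are constructed for the example; in production the fields would come from the domain controllers' Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security event 4769 records, reduced to the four fields a
# Kerberoasting check needs: time, requesting account, service name (the target
# account), and ticket encryption type. Sample data, not real telemetry.
SAMPLE_EVENTS = [
    ("2024-06-01T09:00:01", "jdoe",   "svc_sql",    "0x17"),  # 0x17 = RC4-HMAC
    ("2024-06-01T09:00:02", "jdoe",   "svc_http",   "0x17"),
    ("2024-06-01T09:00:02", "jdoe",   "svc_backup", "0x17"),
    ("2024-06-01T09:00:03", "jdoe",   "svc_exch",   "0x17"),
    ("2024-06-01T09:00:04", "jdoe",   "svc_sccm",   "0x17"),
    ("2024-06-01T09:00:04", "jdoe",   "WS01$",      "0x17"),  # machine account, ignored
    ("2024-06-01T09:00:05", "jdoe",   "krbtgt",     "0x17"),  # KDC account, ignored
    ("2024-06-01T09:30:00", "asmith", "svc_sql",    "0x12"),  # 0x12 = AES256, normal
    ("2024-06-01T09:31:00", "asmith", "svc_http",   "0x12"),
    ("2024-06-01T10:00:00", "bkim",   "svc_sql",    "0x17"),  # one RC4 request, below threshold
    ("2024-06-01T12:00:00", "bkim",   "svc_http",   "0x17"),  # two hours later, outside the window
]

RC4_HMAC = "0x17"


def parse_events(events):
    """Convert the raw tuples into (datetime, account, service, etype) records."""
    return [
        (datetime.fromisoformat(ts), account, service, etype.lower())
        for ts, account, service, etype in events
    ]


def is_roastable_service(service):
    # Kerberoasting targets user accounts that carry an SPN. Machine accounts
    # (names ending in $) and krbtgt have long random keys, so tickets for them
    # are not useful to an attacker and only add noise to the count.
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted service names} for every account that requested
    RC4 service tickets for at least `threshold` distinct roastable service
    accounts within any `window`-long span. Threshold and window are assumed
    tuning values; pick them from a baseline of normal ticket requests."""
    by_account = defaultdict(list)
    for ts, account, service, etype in parse_events(events):
        if etype == RC4_HMAC and is_roastable_service(service):
            by_account[account].append((ts, service))

    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()  # time order so the sliding window below is valid
        for i in range(len(reqs)):
            start = reqs[i][0]
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Two design choices matter here. Filtering on RC4 (0x17) keeps the check focused: modern domains issue AES tickets by default, so a burst of RC4 requests is itself a signal, and attackers ask for RC4 because those tickets are cheaper to crack offline. Counting distinct service accounts rather than raw events avoids flagging a legitimate client that re-requests the same ticket repeatedly.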

Read full article: https://www.security.com/threat-intelligence/us-china-espionage

Disclaimer: The above summary has been generated by an AI language model
